one more thing:
to be clear, what i think the value of two rule-sets would be is to be able
to differentially log unauthenticated traffic from authenticated traffic.
does anyone else think this would be useful?